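---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# Task list for the DMZ-facing host: pull in the nftables firewall role, turn
# the host into an IPv4/IPv6 router through sysctl drop-ins, enable netfilter
# logging for all network namespaces, record the change through the etckeeper
# role, then run the notified handlers.

# The firewall role is included before forwarding is switched on.
# NOTE(review): confirm that nftables.inc actually loads its ruleset (rather
# than only staging files) before the sysctl handler runs, so the host never
# forwards traffic without filtering in place.
- name: DMZ firewall
  include_role:
    name: nftables.inc
    allow_duplicates: true

# Writes a persistent sysctl drop-in; the values only take effect once the
# notified handler runs (or at next boot).
# Caveat: with IPv6 forwarding enabled, Linux stops honouring router
# advertisements on interfaces whose accept_ra is 1; verify how this host
# obtains its IPv6 default route.
- name: enable IP forward
  copy:
    content: |
      net.ipv4.ip_forward=1
      net.ipv6.conf.default.forwarding=1
      net.ipv6.conf.all.forwarding=1
    dest: /etc/sysctl.d/30-ipforward.conf
    # Quoted so the mode stays an octal string whatever YAML version the
    # parser implements.
    mode: "0600"
  notify:
    - apply sysctl immediately

# nf_log_all_netns=1 lets LOG rules in non-initial network namespaces write to
# the host kernel log. The kernel default is 0 so that containers cannot flood
# that log; keep rate limits on log rules if untrusted namespaces run here.
- name: enable kernel logging
  copy:
    content: |
      net.netfilter.nf_log_all_netns=1
    dest: /etc/sysctl.d/30-kernellog.conf
    mode: "0600"
  notify:
    - apply sysctl immediately

### LOCAL COMMIT ⇒ ###
# Native YAML arguments instead of the legacy key=value string form.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: back firewall
### ⇐ LOCAL COMMIT ###

# Run pending handlers now rather than at the end of the play, so the sysctl
# settings are live before any later task depends on them.
# NOTE(review): the "apply sysctl immediately" handler is defined outside this
# file.
- meta: flush_handlers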